t/tetratto
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add: user totp 2fa

Browse source
This commit is contained in:
trisua 2025-04-04 21:42:08 -04:00
parent 20aae5570b
commit 205fcbdcc1
29 changed files with 699 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

4
crates/app/src/routes/api/v1/auth/images.rs
View file

@ -43,7 +43,7 @@ pub struct AvatarSelectorQuery {
}
/// Get a profile's avatar image
/// `/api/v1/auth/profile/{id}/avatar`
/// `/api/v1/auth/user/{id}/avatar`
pub async fn avatar_request(
Path(selector): Path<String>,
Extension(data): Extension<State>,
@ -94,7 +94,7 @@ pub async fn avatar_request(
}
/// Get a profile's banner image
/// `/api/v1/auth/profile/{id}/banner`
/// `/api/v1/auth/user/{id}/banner`
pub async fn banner_request(
Path(username): Path<String>,
Extension(data): Extension<State>,

5
crates/app/src/routes/api/v1/auth/mod.rs
View file

@ -140,6 +140,11 @@ pub async fn login_request(
return (None, Json(Error::IncorrectPassword.into()));
}
// verify totp code
if !data.check_totp(&user, &props.totp) {
return (None, Json(Error::NotAllowed.into()));
}
// update tokens
let mut new_tokens = user.tokens.clone();
let (unhashed_token_id, token) = User::create_token(&real_ip);

132
crates/app/src/routes/api/v1/auth/profile.rs
View file

@ -1,9 +1,11 @@
use crate::{
State, get_user_from_token,
get_user_from_token,
model::{ApiReturn, Error},
routes::api::v1::{
DeleteUser, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole, UpdateUserUsername,
DeleteUser, DisableTotp, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole,
UpdateUserUsername,
},
State,
};
use axum::{
Extension, Json,
@ -11,9 +13,12 @@ use axum::{
response::{IntoResponse, Redirect},
};
use axum_extra::extract::CookieJar;
use tetratto_core::model::{
auth::{Token, UserSettings},
permissions::FinePermission,
use tetratto_core::{
model::{
auth::{Token, UserSettings},
permissions::FinePermission,
},
DataManager,
};
pub async fn redirect_from_id(
@ -264,3 +269,120 @@ pub async fn delete_user_request(
Err(e) => Json(e.into()),
}
}
/// Enable TOTP for a user.
pub async fn enable_totp_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
match data.enable_totp(id, user).await {
Ok(x) => Json(ApiReturn {
ok: true,
message: "TOTP enabled".to_string(),
payload: Some(x),
}),
Err(e) => Json(e.into()),
}
}
/// Disable TOTP for a user.
pub async fn disable_totp_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
Json(req): Json<DisableTotp>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
return Json(Error::NotAllowed.into());
}
// check totp code
let other_user = match data.get_user_by_id(id).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
if !data.check_totp(&other_user, &req.totp) {
return Json(Error::NotAllowed.into());
}
// ...
match data.update_user_totp(id, &String::new(), &Vec::new()).await {
Ok(()) => Json(ApiReturn {
ok: true,
message: "TOTP disabled".to_string(),
payload: (),
}),
Err(e) => Json(e.into()),
}
}
/// Refresh TOTP recovery codes for a user.
pub async fn refresh_totp_codes_request(
jar: CookieJar,
Path(id): Path<usize>,
Extension(data): Extension<State>,
Json(req): Json<DisableTotp>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match get_user_from_token!(jar, data) {
Some(ua) => ua,
None => return Json(Error::NotAllowed.into()),
};
if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
return Json(Error::NotAllowed.into());
}
// check totp code
let other_user = match data.get_user_by_id(id).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
if !data.check_totp(&other_user, &req.totp) {
return Json(Error::NotAllowed.into());
}
// ...
let recovery_codes = DataManager::generate_totp_recovery_codes();
match data.update_user_totp(id, &user.totp, &recovery_codes).await {
Ok(()) => Json(ApiReturn {
ok: true,
message: "Recovery codes refreshed".to_string(),
payload: Some(recovery_codes),
}),
Err(e) => Json(e.into()),
}
}
/// Check if the given user has TOTP enabled.
pub async fn has_totp_enabled_request(
Path(username): Path<String>,
Extension(data): Extension<State>,
) -> impl IntoResponse {
let data = &(data.read().await).0;
let user = match data.get_user_by_username(&username).await {
Ok(u) => u,
Err(e) => return Json(e.into()),
};
Json(ApiReturn {
ok: true,
message: "User exists".to_string(),
payload: Some(!user.totp.is_empty()),
})
}

2
crates/app/src/routes/api/v1/auth/social.rs
View file

@ -36,7 +36,7 @@ pub async fn follow_request(
.create_notification(Notification::new(
"Somebody has followed you!".to_string(),
format!(
"You have been followed by [@{}](/api/v1/auth/profile/find/{}).",
"You have been followed by [@{}](/api/v1/auth/user/find/{}).",
user.username, user.id
),
id,

14
crates/app/src/routes/api/v1/communities/images.rs
View file

@ -57,7 +57,7 @@ pub async fn avatar_request(
}
/// Get a profile's banner image
/// `/api/v1/auth/profile/{id}/banner`
/// `/api/v1/auth/user/{id}/banner`
pub async fn banner_request(
Path(id): Path<usize>,
Extension(data): Extension<State>,
@ -120,9 +120,11 @@ pub async fn upload_avatar_request(
Err(e) => return Json(e.into()),
};
if auth_user.id != community.owner && !auth_user
if auth_user.id != community.owner
&& !auth_user
.permissions
.check(FinePermission::MANAGE_COMMUNITIES) {
.check(FinePermission::MANAGE_COMMUNITIES)
{
return Json(Error::NotAllowed.into());
}
@ -173,9 +175,11 @@ pub async fn upload_banner_request(
Err(e) => return Json(e.into()),
};
if auth_user.id != community.owner && !auth_user
if auth_user.id != community.owner
&& !auth_user
.permissions
.check(FinePermission::MANAGE_COMMUNITIES) {
.check(FinePermission::MANAGE_COMMUNITIES)
{
return Json(Error::NotAllowed.into());
}

62
crates/app/src/routes/api/v1/mod.rs
View file

@ -104,57 +104,58 @@ pub fn routes() -> Router {
post(auth::images::upload_banner_request),
)
// profile
.route("/auth/user/{id}/avatar", get(auth::images::avatar_request))
.route("/auth/user/{id}/banner", get(auth::images::banner_request))
.route("/auth/user/{id}/follow", post(auth::social::follow_request))
.route("/auth/user/{id}/block", post(auth::social::block_request))
.route(
"/auth/profile/{id}/avatar",
get(auth::images::avatar_request),
)
.route(
"/auth/profile/{id}/banner",
get(auth::images::banner_request),
)
.route(
"/auth/profile/{id}/follow",
post(auth::social::follow_request),
)
.route(
"/auth/profile/{id}/block",
post(auth::social::block_request),
)
.route(
"/auth/profile/{id}/settings",
"/auth/user/{id}/settings",
post(auth::profile::update_user_settings_request),
)
.route(
"/auth/profile/{id}/role",
"/auth/user/{id}/role",
post(auth::profile::update_user_role_request),
)
.route(
"/auth/profile/{id}",
"/auth/user/{id}",
delete(auth::profile::delete_user_request),
)
.route(
"/auth/profile/{id}/password",
"/auth/user/{id}/password",
post(auth::profile::update_user_password_request),
)
.route(
"/auth/profile/{id}/username",
"/auth/user/{id}/username",
post(auth::profile::update_user_username_request),
)
.route(
"/auth/profile/{id}/tokens",
"/auth/user/{id}/tokens",
post(auth::profile::update_user_tokens_request),
)
.route(
"/auth/profile/{id}/verified",
"/auth/user/{id}/verified",
post(auth::profile::update_user_is_verified_request),
)
.route("/auth/profile/me/seen", post(auth::profile::seen_request))
.route(
"/auth/profile/find/{id}",
get(auth::profile::redirect_from_id),
"/auth/user/{id}/totp",
post(auth::profile::enable_totp_request),
)
.route(
"/auth/profile/find_by_ip/{ip}",
"/auth/user/{id}/totp",
delete(auth::profile::disable_totp_request),
)
.route(
"/auth/user/{id}/totp/codes",
post(auth::profile::refresh_totp_codes_request),
)
.route(
"/auth/user/{username}/totp/check",
get(auth::profile::has_totp_enabled_request),
)
.route("/auth/user/me/seen", post(auth::profile::seen_request))
.route("/auth/user/find/{id}", get(auth::profile::redirect_from_id))
.route(
"/auth/user/find_by_ip/{ip}",
get(auth::profile::redirect_from_ip),
)
// notifications
@ -196,6 +197,8 @@ pub fn routes() -> Router {
pub struct LoginProps {
pub username: String,
pub password: String,
#[serde(default)]
pub totp: String,
}
#[derive(Deserialize)]
@ -308,3 +311,8 @@ pub struct DeleteUser {
pub struct CreateIpBan {
pub reason: String,
}
#[derive(Deserialize)]
pub struct DisableTotp {
pub totp: String,
}